(54) CERTIFYING SYSTEM

(57) An authentication system whereby authentica- 
tion load can be distributed in the network without shar- 
ing secret information of users is provided. 

The system has a single master authentication 
center arranged in the network, the master authentica- 
tion center sharing with the user a user secret key, and 
a plurality of slave authentication centers sharing with 
the master authentication center respective secret keys 
different from the user secret key. The master authentication
center authenticates the user by using the user secret key and
issues a certificate information which certifies legitimation of
the user, to the user if the user is authenticated as a
legitimate user. The slave authentication center authenticates
the certificate information from the user and issues a
permission information which allows an access to a specified
server or an application server in the network, to the user if
the user is authenticated as a legitimate user.

[Fig. 2: ① request and issuance of user certificate; ② request
and issuance of service utilization permission; ③ request and
enjoyment of network service]

Description

Technical Field 

The present invention relates to an authentication 
system for identifying a user by network when the user 
intends to get network services. 

Background Art 

In order to confirm that a user who requests net- 
work services or communications (hereinafter called as 
a network user) is a legitimate user, it is necessary at 
the network side to authenticate this user. 

A prover is in general identified such that; 

(1) information possessed only by the prover, 

(2) is identified by a verifier by means of a certain 
method, 

where the prover is a person being authenticated and 
the verifier is a person authenticating. 

The information possessed only by the prover (1) 
can be classified to the following two information of; 

(1-1) information artificially provided (password, 
identification number, secret key, etc), and 
(1-2) information based upon individual attribute 
(holograph, fingerprint, voiceprint, retina pattern, 
etc). 

Authentication depending on the information based 
upon individual attribute (1-2) except for the holograph 
is now not appropriate for use in an authentication 
device via a network because of its low receptive capac- 
ity in society, its poor convenience, its poor identification 
ratio and a high manufacturing cost of the authentica- 
tion apparatus. Therefore, in most cases, the informa- 
tion artificially provided (1-1) such as password, secret 
number or secret key are used as the information pos- 
sessed only by the prover. 

The information artificially provided (information 
inherent in user) can be classified, depending upon its 
storing way, to the following three methods of; 

(1-1-1) storing information in mind of the user 
(password, identification number, etc), 
(1-1-2) storing information in a storage possessed 
by the user (for general key, magnetic card, IC card, 
etc), and 

(1-1-3) storing information by combination of (1-1- 
1) and (1-1-2) (cash dispenser provided in a bank- 
ing organ, etc). 

Since the above classification is performed from a 
standpoint of an authentication system, a case wherein 
the user takes a note of his password or identification 
number to his memorandum will be classified to (1-1-1). 



In a computer network, the above-mentioned method of storing
information in mind of the user (1-1-1) is mainly utilized.
However, according to this storing method (1-1-1), impersonation
can be relatively easily performed by decoding or stealing the
password or identification number and also, in most cases, this
impersonation will not be found out by the person himself until
he practically suffers damage. This is because the secret
information according to this method (1-1-1) itself may be
directly revealed, and thus leakage, stealing or wiretap of the
password or of the identification number will easily succeed
without the user being aware of it.

Contrary to this, according to the method of storing information
in a storage possessed by the user (1-1-2), since the user can
find out loss or stealing of his possessed storage and thus
possible damage can be foreknown, the damage can be prevented
from occurring by performing an adequate procedure against the
loss or stealing. The storing method (1-1-3) combining (1-1-1)
and (1-1-2) will be effective so as to prevent illegality even if
the possessed storage is stolen. Of course, however, the damage
will not be prevented from occurring if the storage is forged
without the network and the user being aware of it. Therefore, it
is desired to use a storage which is difficult to forge. For this
aim, an IC card with CPU (hereinafter called a smart card) which
will keep high confidentiality is the optimum.

The method of identifying by the verifier (2) can be
substantially classified, depending upon what kind of information
the prover presents to the verifier (network), into the following
two methods:

(2-1) presenting user's inherent information as it is, and

(2-2) presenting a calculation result of the user's inherent
information.

However, the method of presenting user's inherent information
(2-1) has the disadvantage of easily revealing his secret
inherent information. In particular, if this method is combined
with the aforementioned method of storing information in mind of
user (1-1-1), it is extremely dangerous because the secret
inherent information may be revealed to the public. The method of
presenting a calculation result of the user's inherent
information (2-2) may be classified in accordance with kinds of
this calculation.

Anyway, the present invention relates to an authentication method
of sharing secret user's inherent information between a prover
(user) and a verifier (network), encrypting and decrypting the
information at the user and the network, respectively, and then
checking identification of the decrypted information with the
shared information so as to verify the user.

It should be noted that it is difficult to combine the method of
presenting a calculation result of the user's inherent
information (2-2) with the authentication method using the
information based upon individual attribute (1-2).

As is described above, the combination of the storing method
(1-1-1) with the method of presenting user's inherent information
(2-1) is the most dangerous, and the combination of the storing
method (1-1-3) with the method of presenting a calculation result
of the user's inherent information (2-2) is the safest. An
authentication system using this latter combined method with
smart cards is now realized in a part of mobile communication
networks such as GSM (Global System for Mobile communications).

However, according to the system using the method of presenting a
calculation result of the user's inherent information (2-2),
since the decryption calculation has to be performed at every
authentication process, load of the authentication process will
be concentrated to an authentication device in the network, which
manages secret information of users.

In order to avoid such a problem, load of the calculations for
authentication can be distributed in a plurality of
authentication devices by providing the secret information of
users to them. However, dispersing the secret information of
users to the plurality of the authentication devices will result
not only in lowered safety of authentication but also in
extremely increased cost for managing and operating the secret
information safely.

Disclosure of Invention 

It is therefore an object of the present invention to provide an
authentication system whereby authentication load can be
distributed in the network without sharing secret information of
users when each of the users is verified.

According to the present invention, an authentication system
adopting an authentication scheme for verifying a user from a
network, by sharing the same secret key between the user and the
network, encrypting a known information using the secret key at
the user to produce first encrypted information, transmitting the
first encrypted information from the user to the network,
encrypting the known information using the secret key at the
network to produce second encrypted information, and collating
the transmitted first encrypted information with the produced
second encrypted information at the network, is provided. The
system has a single master authentication center arranged in the
network, the master authentication center sharing with the user a
user secret key, and a plurality of slave authentication centers
sharing with the master authentication center respective secret
keys different from the user secret key. The master
authentication center authenticates the user by using the user
secret key and issues a certificate information which certifies
legitimation of the user, to the user if the user is
authenticated as a legitimate user. The slave authentication
center authenticates the certificate information from the user
and issues a permission information which allows an access to a
specified server or an application server in the network, to the
user if the user is authenticated as a legitimate user.

As will be apparent from the above description, only 
one master authentication center possesses the user 
secret keys other than the respective users, and there- 
fore each of the user secret keys is not shared by a plu- 
rality of users. Furthermore, since the master 
authentication center authenticates the user by using 
this user secret key and issues a certificate information 
which certifies legitimation of the user and the slave 
authentication center authenticates the certificate infor- 
mation from the user and issues a permission informa- 
tion which allows an access to a specified server or an 
application server in the network, authentication load 
can be distributed. 

The application server can execute the role of the 
above-mentioned slave authentication center. In this 
case, the permission information and also the slave 
authentication center can be omitted. 

It is preferred that the system adopts an authentica- 
tion scheme not only for verifying a user from a network, 
by sharing the same secret key between the user and 
the network, encrypting a known information using the 
secret key at the user to produce first encrypted infor- 
mation, transmitting the first encrypted information from 
the user to the network, encrypting the known informa- 
tion using the secret key at the network to produce sec- 
ond encrypted information, and collating the transmitted 
first encrypted information with the produced second 
encrypted information at the network, but also for verify- 
ing the network from the user, by encrypting a known 
information using the secret key at the network to pro- 
duce third encrypted information, transmitting the third 
encrypted information from the network to the user, 
encrypting the known information using the secret key 
at the user to produce fourth encrypted information, and 
collating the transmitted third encrypted information 
with the produced fourth encrypted information at the 
user. This mutual authentication can improve security 
and certainty of authentication. 

It is also preferred that the user has an IC card provided with a
CPU (smart card), and that the smart card executes management of
the user secret key and encryption and decryption of the
information. By using such a smart card for managing a user
secret key and for encrypting information, the secret key will
not be revealed to a client terminal and therefore forgery
thereof will become quite difficult, so that higher security of
authentication is kept.

Preferably, the secret key used for encrypting the known
information is a key using a random number generated at the user.
Encryption using this key with a random number will provide
higher security.

Brief Description of Drawings 

Fig. 1 is a block diagram schematically showing a constitution of
an embodiment (first embodiment) of an authentication system
according to the present invention;

Fig. 2 is a sketch schematically showing three phase sequence of
authentication processes in the embodiment shown in Fig. 1;

Fig. 3 is a sketch showing detail procedure in a first
authentication phase shown in Fig. 2;

Fig. 4 is a sketch showing detail procedure in a second
authentication phase shown in Fig. 2;

Fig. 5 is a sketch showing detail procedure in a third
authentication phase shown in Fig. 2;

Fig. 6 is a block diagram schematically showing a constitution of
another embodiment (second embodiment) of an authentication
system according to the present invention;

Fig. 7 is a sketch showing detail procedure in a first phase of
an example of authentication processes in the embodiment shown in
Fig. 6;

Fig. 8 is a sketch showing detail procedure in a second phase of
the example of the authentication processes in the embodiment
shown in Fig. 6;

Fig. 9 is a sketch showing detail procedure in a first phase of
another example of authentication processes in the embodiment
shown in Fig. 6;

Fig. 10 is a sketch showing detail procedure in a second phase of
the other example of the authentication processes in the
embodiment shown in Fig. 6; and

Fig. 11 is a sketch showing content of a certification used in
the authentication processes in the embodiment shown in Fig. 6.

Best Mode for Carrying Out the Invention 

Referring to drawings, embodiments according to 
the present invention will be described in detail. 

First Embodiment 

Fig. 1 is a block diagram schematically showing a 
constitution of an embodiment of an authentication sys- 
tem according to the present invention. 

This embodiment utilizes the already mentioned method of
presenting the calculation result of user's inherent information
(2-2) and also the already mentioned method of storing the user's
inherent information in a smart card (1-1-2). According to the
present invention, however, the method of storing the user's
information in mind of the user (1-1-1) or the storing method
(1-1-3) of combination of (1-1-1) and (1-1-2) may be utilized.
Performing the calculation of the method (2-2) by the user
himself is not easy and will result in revealing the secret
information. Thus, this calculation should be done by a
possession of the user, having both storing and calculation
functions, such as a smart card instead of the user himself. In
this case, the above-mentioned storing methods (1-1-2) and
(1-1-3) are used.

In Fig. 1, reference numeral 10 denotes a smart card provided
with program and file which will be described later and possessed
by each user, 11 denotes a card reader/writer for reading
information from or writing information to the smart card 10, and
12 denotes a client terminal connected to the reader/writer 11,
provided with client side application and authentication kernel,
respectively. The reader/writer 11 will be mounted inside or
outside of the client terminal 12.

The smart card 10 is constituted by an IC card with arithmetic
function, which consists of a memory having a capacity of for
example about 16 KB and a CPU of for example 8 bits. The client
terminal 12 is constituted by a general purpose work station or a
general purpose personal computer and connected to a network 13
such as for example LAN via a communication line. This client
terminal 12 is an access point of the user to the network 13 and
also a terminal for providing network service from an application
server side. Although only one client terminal 12 is illustrated
in Fig. 1, in fact there may be a plurality of client terminals
having the similar constitution as the terminal 12 and connected
via respective communication lines.

A single master authentication center (master AuC) 14 provided
with authentication program which will be described later, a
plurality of slave authentication centers (slave AuCs) 15
provided with authentication program which will be described
later, and at least one application server (APS) 16 provided with
server side application and authentication kernel are connected
to the network 13 so as to be able to communicate with the client
terminal 12 via this network 13.

In a database 14a provided for the master authentication center
14, at least user data such as user's secret keys, system log,
black list of the users and slave AuC data such as secret keys of
the respective slave authentication centers 15 are stored. In a
database 15a provided for the slave authentication center 15, at
least APS data such as secret key(s) of the application server(s)
16 are stored. The master authentication center 14, the slave
authentication center 15 and the application server 16 are
constituted by general purpose work stations, respectively.
Communications between the general purpose work stations and
between the general purpose work station and the general purpose
personal computer are carried out through RPC (Remote Procedure
Call).

The memory in the smart card 10 stores a secret key inherent in a
smart card holder (user secret key Ku). The CPU in the smart card
10 is programmed so as to calculate a cryptographic function f
with this secret key Ku.

The network 13 has only one master authentication center 14, and
the user secret key Ku is held only by this master authentication
center 14. This single master authentication center 14 and the
slave authentication centers 15 share respective secret
information inherent in the respective slave authentication
centers 15 (slave AuC secret keys Ks1, Ks2, Ks3, ...). Also, the
application servers 16 for providing network services to the
users and the slave authentication centers 15 share secret
information inherent in each of the application servers 16 (APS
secret keys Ka1, Ka2, Ka3, ...).

Authentication processes in this embodiment will 
now be described. In the following processes, suppose 
that a user intends to enjoy a desired network service 
from a specific application server 16. 

First, the user inserts his smart card 10 into the reader/writer
11 and then accesses the client terminal 12 as follows so as to
activate the smart card 10.

For the card user, a PIN (Personal Identification Number) code
has been previously defined, and this defined PIN code has been
stored in the smart card 10. The user inputs his PIN code through
the client terminal 12 into the smart card 10 so that coincidence
between the input PIN code and the one stored in the smart card
10 is checked. This check of the PIN code is executed by internal
operation of the smart card 10. If PIN code input fails three
times in succession, no further access to the user functions is
possible. Since the memory in the smart card 10 is a nonvolatile
storage, the number of past successive PIN input failures will be
held even if the power is off.

After the smart card 10 is activated by local verification
between the user and the smart card 10, authentication processes
are carried out with three phase sequence schematically shown in
Fig. 2.

A first phase is ① request and issuance of a user certificate. In
this first phase, the user side (smart card 10) requests the
master AuC 14 to issue a certification information (user
certificate) used for executing authentication procedure with the
slave AuC 15. The issued user certificate which has a valid
period is stored in the smart card 10. Prior to accessing the
master AuC 14, the user side (smart card 10 or client terminal
12) confirms the validity of the already obtained user
certificate. As long as the user certificate is valid, the
authentication processes can jump to the next second phase
without accessing the master AuC 14. This reduces the amount of
processing (throughput) required of the master AuC 14.

The second phase is ② request and issuance of a service
utilization license. In this second phase, the user side (smart
card 10) requests, with indicating the user certificate, the
slave AuC 15 to issue a permission information (service
utilization license) for utilizing the application server 16. The
slave AuC 15 will verify the user certificate presented by the
smart card 10, and issue the service utilization permission if
verified.

A third phase is ③ request and enjoyment of a network service. In
this third phase, the user side (smart card 10) requests, with
indicating the service utilization license, the application
server 16 to provide a desired network service. The application
server 16 will verify the indicated service utilization license
and provide the requested service to the client terminal 12 if
the indicated license is verified.

Referring to Figs. 3, 4 and 5 which show detail procedure in the
above-mentioned respective authentication phases, each procedure
will be described in detail. Symbols illustrated in these figures
indicate as follows.

AuC          authentication center
IDu          inherent number assigned to a smart card (held by
             the smart card and the master AuC only)
Ku           user secret key (held by the smart card and the
             master AuC only)
Ks           slave AuC secret key (shared by the master AuC and
             each of the slave AuCs only)
Ka           APS secret key (shared by slave AuC and each of the
             APSs only)
Ku-s         secret key between the smart card and the slave AuC
             (disposable key generated by master AuC at every
             issuance of User Certificate)
Ku-a         secret key between the smart card and the APS
             (disposable key generated by slave AuC at every
             issuance of Service Utilization License)
c_addr       network address of the client terminal
Ts           time stamp (indicating current time or expiring time
             of valid period)
Cert         user certificate (issued by the master AuC and
             decrypted only by the slave AuC)
Lic          service utilization license (issued by the slave AuC
             and decrypted only by the APS)
A/Res        access/response message
|            process of concatenating data with each other
X=Y?         process of confirming coincidence of time stamps X
             and Y within a predetermined margin
f(data,K)    process of encrypting data with key K
f⁻¹(data,K)  process of decrypting or inversely encrypting data
             with K



Fig. 3 illustrates procedure in the first phase ① for requesting
and issuing a user certificate. As shown in this figure, at
first, the client terminal 12 generates a time stamp Ts1
indicating the current time. The generated time stamp Ts1 and a
network address c_addr of this client terminal 12 are transmitted
to the smart card 10. In Fig. 3, this transmission is represented
by [Ts1,c_addr]. These transmitted data are concatenated with
each other in the smart card 10, and then the concatenated data
is encrypted by using a user secret key Ku previously stored in
the smart card 10 to obtain A=f(Ts1|c_addr,Ku). Then, an inherent
card number IDu stored in this smart card 10 is read out and
transmitted to the master AuC 14 with the encrypted A as an
authentication request. This transmission is represented by
[IDu,A] in Fig. 3. The card number IDu is transmitted without
encryption. Although all communications between the smart card 10
and the master AuC 14 are executed through the client terminal
12, this client terminal 12 itself cannot analyze the encrypted
data.

The master AuC 14 generates a time stamp Ts2 indicating a time of
receiving the authentication request from the client terminal 12.
Then, a user secret key Ku is retrieved from the database 14a
using the received card number IDu. Then, the encrypted A is
decrypted by means of a function Ts1|c_addr=f⁻¹(A,Ku) with the
retrieved user secret key Ku to obtain the time stamp Ts1 of the
client terminal 12 and the network address c_addr. Coincidence
between the obtained time stamp Ts1 and the time stamp Ts2
generated at the master AuC 14 is then verified. Since Ts2 is
necessarily delayed from Ts1, this collation of coincidence has
to be considered with a margin of time delay of for example ten
seconds. If the user secret key Ku used in encryption at the
smart card side to produce A is an incorrect key, the decrypted
Ts1 will extremely differ from Ts2. Thus, if the decrypted Ts1
does not coincide with Ts2 with consideration of the margin,
failure of the authentication is informed to the user side and
the process is terminated.

If the decrypted Ts1 coincides with Ts2 with consideration of the
margin, following procedure for issuing a user certificate will
be executed. First, at the master AuC 14, a secret key Ku-s
between the smart card 10 and the slave AuC 15 is generated and
then an original user certificate Cert(Ku-s,Ts2,c_addr)
consisting of Ku-s, Ts2 and c_addr is created. This user
certificate Cert is encrypted using a slave AuC secret key Ks
which is shared only by the master AuC and its slave AuC, to
produce Cert'. Namely, by using a cryptographic function f, Cert'
is obtained from Cert'=f(Cert,Ks).

Thereafter, Res is generated by inversely encrypting Cert' as
well as Ts2 and Ku-s using the user secret key Ku, namely from
Res=f⁻¹(Cert'|Ts2|Ku-s,Ku). The generated Res is then returned to
the smart card 10 as a response message with respect to the
access from the user ([Res]). Because of lower calculation
capacity, it is desired that the smart card 10 executes only
calculation based upon encryption function f. Thus, at the master
AuC 14, inverse encryption f⁻¹ is executed instead of encryption
f.

When the smart card 10 receives the response message Res, the
received Res is decoded by the function f using the user secret
key Ku, namely from Cert'|Ts2|Ku-s=f(Res,Ku), to extract and
store into the memory in the smart card 10 the encrypted user
certificate Cert', the time stamp Ts2 and the secret key Ku-s.
The extracted time stamp Ts2 is transmitted to the client
terminal 12 and therein verified, with respect to coincidence,
with the time stamp Ts1 which was generated at this terminal 12
(Ts1=Ts2?). Thus, the master AuC 14 is verified by the smart card
10, with the result that the smart card 10 and the master AuC 14
have mutually authenticated each other. According to the
above-mentioned mechanism, the secret key Ku-s between the smart
card and the slave AuC is used for communication between the
smart card 10 and the slave AuC 15 without being revealed outside
the smart card 10. Since Cert' is encrypted using the slave AuC
secret key Ks, the smart card 10 and the client terminal 12
cannot analyze it at all.

At a next authentication procedure, prior to accessing the master
AuC 14, the client terminal 12 reads out the time stamp Ts2
stored in the smart card 10 and compares it with the current time
to confirm the validity of the stored user certificate Cert'. As
long as the user certificate is valid, the authentication
processes can skip the first phase shown in Fig. 3 and jump to
the next second phase without accessing the master AuC 14,
reducing the amount of processing (throughput) required of the
master AuC 14.

Fig. 4 illustrates procedure in the second phase ② for requesting
and issuing a service utilization license. As shown in this
figure, at first, the client terminal 12 generates a time stamp
Ts3 indicating the current time. The generated time stamp Ts3 and
a network address c_addr of this client terminal 12 are
transmitted to the smart card 10. In Fig. 4, this transmission is
represented by [Ts3,c_addr]. If this second phase is executed
just after the first phase, as Ts3 is equal to Ts1 with
consideration of the margin and c_addr has already been sent,
this process can be omitted. These transmitted data are
concatenated with each other in the smart card 10, and then the
concatenated data is encrypted by using the secret key Ku-s which
was transmitted from the master AuC 14 with the user certificate
Cert and stored in the smart card 10, to obtain
A'=f(Ts3|c_addr,Ku-s). Then, the user certificate Cert' is
transmitted to the slave AuC 15 with the encrypted A'. This
transmission is represented by [Cert',A'] in Fig. 4. Although all
communications between the smart card 10 and the slave AuC 15 are
also executed through the client terminal 12, this client
terminal 12 itself cannot analyze the encrypted data.

The slave AuC 15 generates a time stamp Ts4 indicating a time of
receiving the access from the client terminal 12. Then, the
encrypted user certificate Cert' is decrypted by means of a
function Cert=f⁻¹(Cert',Ks) using the slave AuC secret key Ks
stored in the slave AuC 15 to obtain a decrypted Cert. In this
decrypted user certificate Cert, the time stamp Ts2 indicating
the issuance time of this user certificate Cert, the secret key
Ku-s and the network address c_addr of the client terminal 12 are
included. Then, the obtained time stamp Ts2 is checked against
the time stamp Ts4 to confirm that the user certificate Cert was
issued at a time within a predetermined period from now. Thus,
validity of this user certificate Cert is confirmed.

Then, the encrypted A' is decrypted by means of a function
Ts3|c_addr=f⁻¹(A',Ku-s) with the secret key Ku-s contained in the
user certificate Cert to obtain the time stamp Ts3 of the client
terminal 12 and the network address c_addr.

Coincidence between the obtained time stamp Ts3 and the time
stamp Ts4 generated at the slave AuC 15, and coincidence between
c_addr contained in the user certificate Cert and c_addr
contained in A' are then verified. If the user certificate Cert
is a forged one, since the secret key Ku-s and the network
address c_addr contained in this Cert cannot be extracted and
also the decryption using this key Ku-s cannot be executed, the
collation will fail. Thus, in this case, the slave AuC 15 will
not issue a service utilization license Lic and failure of the
authentication is informed to the user side to terminate the
process.

If the collation succeeds, following procedure for issuing a
service utilization license Lic will be executed. First, at the
slave AuC 15, a secret key Ku-a between the smart card 10 and a
specific application server 16 is generated and then an original
service utilization license Lic(Ku-a,Ts4,c_addr) consisting of
Ku-a, Ts4 and c_addr is created. This service license Lic is
encrypted using an APS secret key Ka which is shared only by the
slave AuC and the specific application server, to produce Lic'.
Namely, by using a cryptographic function f, Lic' is obtained
from Lic'=f(Lic,Ka). This encrypted service license Lic' can be
analyzed only by the specific application server having the
secret key Ka.

Thereafter, Res' is generated by inversely encrypting Lic' as
well as Ts4 and Ku-a using the secret key Ku-s, namely from
Res'=f⁻¹(Lic'|Ts4|Ku-a,Ku-s). The generated Res' is then returned
to the smart card 10 as a response message with respect to the
access from the user ([Res']).

When the smart card 10 receives the response message Res', the
received Res' is decoded by the function f using the secret key
Ku-s, namely from Lic'|Ts4|Ku-a=f(Res',Ku-s), to extract and
store into the memory in the smart card 10 the encrypted service
utilization license Lic', the time stamp Ts4 and the secret key
Ku-a. The extracted time stamp Ts4 is transmitted to the client
terminal 12 and therein verified, with respect to coincidence,
with the time stamp Ts3 which was generated at this terminal 12
(Ts3=Ts4?). Thus, the slave AuC 15 is verified by the smart card
10, with the result that the smart card 10 and the slave AuC 15
are mutually authenticated. According to the above-mentioned
mechanism, the secret key Ku-a between the smart card and the
application server is used for communication between the smart
card 10 and the application server 16 without being revealed
outside the smart card 10. Since Lic' is encrypted using the
secret key Ka, the smart card 10 and the client terminal 12
cannot analyze it at all.

Fig. 5 illustrates procedure in the third phase (3) for
requesting and enjoying a network service. As shown in this
figure, at first, the client terminal 12 generates a time stamp
Ts5 indicating the current time. The generated time stamp Ts5
and a network address c_addr of this client terminal 12 are
transmitted to the smart card 10. In Fig. 5, this transmission
is represented by [Ts5,c_addr]. If this third phase is executed
just after the second phase, as Ts5 is equal to Ts3 with
consideration of the margin and c_addr has already been sent,
this process can be omitted. These transmitted data are
concatenated with each other in the smart card 10, and then the
concatenated data is encrypted by using the secret key Ku-a
which was transmitted from the slave AuC 15 with the service
utilization license Lic' and stored in the smart card 10, to
obtain A"=f(Ts5|c_addr,Ku-a). Then, the service license Lic' is
transmitted to the application server 16 with the encrypted A".
This transmission is represented by [Lic',A"] in Fig. 5. Although
all communications between the smart card 10 and the application
server 16 are also executed through the client terminal 12, this
client terminal 12 itself cannot analyze the encrypted data.

The application server 16 generates a time stamp Ts6 indicating
a time of receiving the access from the client terminal 12.
Then, the encrypted service utilization license Lic' is
decrypted by means of a function Lic=f^-1(Lic',Ka) using the APS
secret key Ka stored in the application server 16 to obtain a
decrypted Lic. In this decrypted service utilization license
Lic, the time stamp Ts4 indicating the issuance time of this
license Lic, the secret key Ku-a and the network address c_addr
of the client terminal 12 are included. Then, the obtained time
stamp Ts4 is checked by the time stamp Ts6 to confirm that the
license Lic was issued at a time within a predetermined period
from now. Thus, validity of this license Lic is confirmed.

Then, the encrypted A" is decrypted by means of a function
Ts5|c_addr=f^-1(A",Ku-a) with the secret key Ku-a contained in
the license Lic to obtain the time stamp Ts5 of the client
terminal 12 and the network address c_addr.

Coincidence between the obtained time stamp Ts5 and the time
stamp Ts6 generated at the application server 16, and
coincidence between c_addr contained in the license Lic and
c_addr contained in A" are then verified. If the service
utilization license Lic is a forged one, since the secret key
Ku-a and the network address c_addr contained in this license
Lic cannot be extracted and also the decryption using this key
Ku-a cannot be executed, the collation will fail. Thus, in this
case, the application server 16 will not provide a network
service and failure of the authentication is informed to the
user side to terminate the process.

If the collation succeeds, at the application server 16, Res" is
generated by inversely encrypting Ts6 using the secret key Ku-a,
namely from Res"=f^-1(Ts6,Ku-a). The generated Res" is then
returned to the smart card 10 as a response message with respect
to the access from the user ([Res"]).

When the smart card 10 receives the response message Res", the
received Res" is decoded by the function f using the secret key
Ku-a, namely from Ts6=f(Res",Ku-a), to extract and store into
the memory in the smart card 10 the encrypted time stamp Ts6.
The extracted time stamp Ts6 is transmitted to the client
terminal 12 and therein verified, with respect to coincidence,
with the time stamp Ts5 which was generated at this terminal 12
(Ts5=Ts6?). Thus, the application server 16 is verified by the
smart card 10, with the result that the smart card 10 and the
application server 16 are mutually authenticated. If the mutual
authentication succeeds, the application server provides the
network service to the client terminal 12.

The above-mentioned authentication procedure requires time
synchronization between the master AuC 14, the slave AuC 15,
the application server 16 and the client terminal 12. This is
because time information (a time stamp) is used as the
authentication data (data for the cryptographic function) known
by both the prover and the verifier. Instead of the time
information, a random number generated at the verifier (network
side) and transmitted to the user side can be utilized as the
authentication data, like the challenge-response authentication
protocol used in GSM. A second embodiment according to the
present invention, which will be described later, uses this
protocol.

In the aforementioned first embodiment, the infor- 
mation to be transmitted from the smart card 10 is 
encrypted directly using the user secret key Ku, the 
slave AuC secret key Ks or the APS secret key Ka. How- 
ever, if a key is produced by encrypting a random 
number R generated at the smart card 10 using the user 
secret key Ku, the slave AuC secret key Ks or the APS 
secret key Ka and the information to be transmitted from 
the smart card 10 is encrypted using this produced 
encrypted key, higher security can be expected. In this 
case, the random number R has to also be transmitted 
to the master AuC 14, the slave AuC 15 or the applica- 
tion server 16. 

Furthermore, although in the aforementioned 
embodiment, individual slave AuC keys Ks are provided 
for the respective slave AuCs, a single slave AuC key Ks 
can be shared by all the slave AuCs. In the latter case, 
however, security will be somewhat lowered. 

Second Embodiment 

Fig. 6 is a block diagram schematically showing a constitution
of another embodiment of an authentication system according to
the present invention.

In the figure, reference numeral 10 denotes a smart card
provided with program and file which will be described later and
possessed by each user, 11 denotes a card reader/writer for
reading information from or writing information to the smart
card 10, and 12 denotes a client terminal connected to the
reader/writer 11, provided with client side application and
authentication kernel, respectively. The reader/writer 11 will
be mounted inside or outside of the client terminal 12.

The smart card 10 in this embodiment is constituted by an IC
card with arithmetic function, which consists of a memory having
a capacity of for example equal to or less than 8 KB and a CPU
of for example 8 bits. As this embodiment has a simpler
constitution than the first embodiment, the smart card 10 in
this embodiment has a smaller capacity memory. The client
terminal 12 is constituted by a general purpose work station or
a general purpose personal computer and connected to a network
13 such as for example a LAN via a communication line. This
client terminal 12 is an access point of the user to the network
13 and also a terminal for providing network service from an
application server side. Although only one client terminal 12 is
illustrated in Fig. 6, in fact there may be a plurality of
client terminals having the similar constitution as the terminal
12 and connected via respective communication lines.

An authentication center (AuC) 17 provided with 
authentication program for verifying the user and at 
least one application server (APS) 16 provided with 
server side application for providing services to the user 
are connected to the network 13 so as to be able to 
communicate with the client terminal 12 via this network 
13. 

In a database 17a provided for the authentication 
center 17, the least of user data such as user's secret
keys, system log, black list of the users and secret 
key(s) of the application server(s) 16 are stored. The 
authentication center 17 and the application server 16 
are constituted by general purpose work stations, 
respectively. Communications between the general pur- 
pose work stations and between the general purpose 
work station and the general purpose personal compu- 
ter are carried out through RPC (Remote Procedure 
Call). 

The memory in the smart card 10 stores a secret key inherent in
a smart card holder (user secret key Ku). The CPU in the smart
card 10 is programmed so as to calculate a cryptographic
function f with this secret key Ku.

In the network 13, the user secret key Ku is held only by the
authentication center 17.

Both this authentication center 17 and the application servers
16 together have respective secret information inherent in the
respective application servers 16 (APS secret keys Ka1, Ka2,
Ka3,...).

Authentication processes in this embodiment will 
now be described. In the following processes, suppose 
that a user intends to enjoy a desired network service 
from a specific application server 16. 

First, the user inserts his smart card 10 into the reader/writer
11 and then accesses the client terminal 12 as follows so as to
activate the smart card 10.

For the card user, a PIN code has been previously defined, and
this defined PIN code has been stored in the smart card 10. The
user inputs his PIN code through the client terminal 12 into the
smart card 10 so that coincidence between the input PIN code and
the one stored in the smart card 10 is checked. This check of
the PIN code is executed by internal operation of the smart card
10. If PIN code input fails three times in succession, the smart
card 10 permits no more access and thus the authentication
procedure terminates. Since the memory in the smart card 10 is a
nonvolatile storage, the number of past successive PIN input
failures will be held even if the power is off. This storage
will be cleared if the PIN code check succeeds within three
successive inputs.

After the smart card 10 is activated by local verification
between the user and the smart card 10, authentication processes
are carried out in the following two-phase sequence.

A first phase is request and issuance of a user certificate. In
this first phase, the user side (smart card 10) requests the AuC
17 to issue a certification information (user certificate)
which verifies him. The issued user certificate which has a
valid period is stored in the smart card 10. Prior to accessing
the AuC 17, the user side (smart card 10 or client terminal 12)
confirms the validity of the already obtained user certificate.
As long as the user certificate is valid, the authentication
processes can jump to the next, second phase without accessing
the AuC 17. This causes throughput in the AuC 17 to decrease.

The second phase is request and enjoyment of a 
network service. In this phase, the user side (smart card 
10) requests, with indicating the user certificate, the 
application server 16 to provide a desired network serv- 
ice. The application server 16 will verify the indicated 
user certificate and provide the requested service to the 
client terminal 12 if the indicated certificate is verified. 

Figs. 7 and 8 show an example of detail procedure in the
above-mentioned respective authentication phases. Figs. 9 and 10
show another example of detail procedure wherein a mutual
authentication mechanism is adopted. Combination of the
procedure of Fig. 7 and that of Fig. 10, and combination of the
procedure of Fig. 9 and that of Fig. 8 are possible.

Fig. 7 illustrates procedure in the first phase for requesting
and issuing a user certificate. As shown in this figure, at
first, an inherent card number IDu stored in this smart card 10
is read out and transmitted to the AuC 17 with a name of the
application server APS NAME which will provide a desired network
service as an authentication request. This transmission is
represented by [IDu,APS NAME] in Fig. 7. The card number IDu and
the APS NAME are transmitted without encryption. The APS NAME
will be referred to when a user certificate Cert and an
authentication information AuInfo are issued later.

The AuC 17 generates a random number Rnd and transmits it
(called a challenge) to the smart card 10. The smart card 10
then encrypts the received random number Rnd using the user
secret key Ku stored in its memory to generate a response Res by
means of a function Res=f(Rnd,Ku). The generated response Res is
returned to the AuC 17. The AuC 17 looks up the user secret key
Ku from the received card number IDu using the database 17a, and
then executes the same encryption of the random number Rnd as
done in the smart card 10 using the user secret key Ku to
generate Res' by means of a function Res'=f(Rnd,Ku). The
generated Res' is then compared with the response Res
transmitted from the smart card 10. If the user is a legitimate
user and the user secret key Ku is the correct one, Res will
coincide with Res'. However, if the user secret key Ku is
incorrect, the calculated results Res and Res' will not coincide
with each other. In this case, failure of the authentication is
informed to the user side and the process is terminated.

If the encrypted Res' coincides with Res, a user certificate
Cert and an authentication information AuInfo are issued for the
smart card 10. Contents of the issued user certificate Cert and
authentication information AuInfo are indicated in Fig. 11 as an
example.

In order to prevent fraud, the user certificate Cert is
encrypted using an APS secret key Ka which is shared only by the
AuC 17 and the APS 16 corresponding to the application server
name APS NAME, to produce Cert'. Namely, by using a
cryptographic function f, Cert' is obtained from
Cert'=f(Cert,Ka). The authentication information AuInfo and the
encrypted user certificate Cert' are transmitted to the smart
card 10 and stored therein. Since the encrypted user certificate
Cert' cannot be analyzed at the user side, necessary items such
as an expiring time are transmitted in duplicate.

Although the first phase in a challenge-response authentication
scheme has been described in detail, an authentication system
according to the present invention can be achieved by a mutual
authentication scheme wherein the user side and the network side
authenticate each other.

Fig. 9 illustrates procedure in the first phase in the mutual
authentication mechanism. As shown in this figure, at first, an
inherent card number IDu stored in this smart card 10 is read
out and transmitted to the AuC 17 with a name of the application
server APS NAME which will provide a desired network service as
an authentication request. This transmission is represented by
[IDu,APS NAME] in Fig. 9.

The AuC 17 generates a random number Rnd1 and transmits it to
the smart card 10. The smart card 10 encrypts the received
random number Rnd1 using the user secret key Ku stored in its
memory to generate a response Res1 by means of a function
Res1=f(Rnd1,Ku). The smart card 10 also generates a random
number Rnd2. The generated response Res1 and the random number
Rnd2 are transmitted to the AuC 17.

The AuC 17 looks up the user secret key Ku from the received
card number IDu using the database 17a, and then executes the
same encryption of the random number Rnd1 as done in the smart
card 10 using the user secret key Ku to generate Res1' by means
of a function Res1'=f(Rnd1,Ku). The generated Res1' is then
compared with the response Res1 transmitted from the smart card
10. If the user is a legitimate user and the user secret key Ku
is the correct one, Res1 will coincide with Res1'. However, if
the user secret key Ku is incorrect, the calculated results Res1
and Res1' will not coincide with each other. In this case,
failure of the authentication is informed to the user side and
the process is terminated.

If the encrypted Res1' coincides with Res1, the following
procedure for authenticating the AuC 17 by the smart card 10 is
carried out. First, the AuC 17 encrypts the random number Rnd2
transmitted from the smart card 10 using the user secret key Ku
to generate a response Res2 by means of a function
Res2=f(Rnd2,Ku). Then, the AuC 17 issues a user certificate Cert
and an authentication information AuInfo for the smart card 10.
Contents of the issued user certificate Cert and authentication
information AuInfo are indicated in Fig. 11 as an example.

In order to prevent fraud, the user certificate Cert is
encrypted using an APS secret key Ka which is shared only by the
AuC 17 and the APS 16 corresponding to the application server
name APS NAME, to produce Cert'. Namely, by using a
cryptographic function f, Cert' is obtained from
Cert'=f(Cert,Ka). The response Res2, the authentication
information AuInfo and the encrypted user certificate Cert' are
transmitted to the smart card 10. Since the encrypted user
certificate Cert' cannot be analyzed at the user side, necessary
items such as an expiring time are transmitted in duplicate. The
smart card 10 executes the same encryption of the random number
Rnd2 as done in the AuC 17 using the user secret key Ku to
generate Res2' by means of a function Res2'=f(Rnd2,Ku). The
generated Res2' is then compared with the response Res2
transmitted from the AuC 17. If the AuC is a legitimate
authentication center, Res2 will coincide with Res2'. Therefore,
in this case, the encrypted user certificate Cert' and the
authentication information AuInfo are stored in the memory in
the smart card 10. However, if the calculated results Res2 and
Res2' do not coincide with each other, it is judged that the AuC
17 is not a legitimate one and thus the authentication fails. In
this case, the issued user certificate Cert' and authentication
information AuInfo are canceled.

In order to protect the authentication information AuInfo and
the user certificate Cert' from being eavesdropped and
fraudulently accessed by a third party when they are transmitted
from the AuC 17 to the smart card 10, the authentication
information AuInfo and the user certificate Cert' may be
encrypted by a session key shared by the AuC 17 and the smart
card 10. It is desired to produce a session key in accordance
with the random numbers Rnd1 and Rnd2 and the user secret key Ku
shared only by the AuC 17 and the smart card 10.

Fig. 8 illustrates procedure in the second phase for requesting
and enjoying a network service. As shown in this figure, at
first, the encrypted user certificate Cert' which has been
stored in the smart card 10 is read out and transmitted to the
application server 16. This transmission is represented by
[Cert'] in Fig. 8. It should be noted that the user certificate
Cert' can be issued only by the AuC 17 and can be evaluated only
by the application server 16, and that not only the smart card
10 but also the client terminal 12 cannot analyze it.



The application server 16 decrypts the transmitted user
certificate Cert' using its APS secret key Ka to extract the
original user certificate Cert. Then, the application server 16
evaluates or verifies the user certificate Cert by checking
known or estimative information such as application server name,
issuance time or validity time period contained in the
certificate Cert. For example, if the certificate Cert is a
forged one, no significant information can be extracted
therefrom and thus analysis of the certificate Cert fails. Even
if the certificate Cert is a legitimate one, this certificate
Cert may be dealt with as invalid when the validity time has
expired.

Since the user certificate Cert' encrypted by using the APS
secret key Ka is transmitted through the network when the smart
card 10 accesses the application server 16, a fraudulent third
party may copy the encrypted certificate Cert' and may use it by
stealth. In order to prevent such fraudulent usage, a
challenge-response authentication is also executed between the
smart card 10 and the application server 16. Namely, the
application server 16 generates a random number Rnd and
transmits it to the smart card 10. The smart card 10 encrypts
the received random number Rnd using the user and APS shared key
Ku-a contained in the authentication information sent from the
AuC 17 when the user certificate was issued, to generate a
response Res by means of a function Res=f(Rnd,Ku-a). The
generated response Res is transmitted to the application server
16.

The application server 16 executes the same encryption of the
random number Rnd as done in the smart card 10 using the user
and APS shared key Ku-a which was contained in the decrypted
user certificate Cert to generate Res' by means of a function
Res'=f(Rnd,Ku-a). The generated Res' is then compared with the
response Res transmitted from the smart card 10. If the user is
a legitimate user, Res will coincide with Res'. However, if the
user is a fraudulent user, the calculated results Res and Res'
will not coincide with each other. In this case, although the
certificate Cert is correct, it may be used by stealth. Thus,
failure of the authentication is informed to the user side and
the process is terminated.

If the encrypted Res' coincides with Res, the authentication
succeeds and the network service requested by the user is
provided to the client terminal 12.

The user and APS shared key Ku-a is contained in both the user
certificate and the authentication information sent from the AuC
17 to the smart card 10 during the accessing procedure to the
AuC 17, shown in Figs. 7 and 9. This is also apparent from Fig.
11. Since the user certificate is decrypted only by the
application server 16 having the APS secret key Ka and the
authentication information is stored in the smart card 10, not
in the application server 16, this user and APS shared key Ku-a
is sent in duplicate. Even if a third party steals the user
certificate encrypted by the APS secret key Ka, he cannot
analyze it. Therefore, he cannot encrypt the random number Rnd
by using the user and APS shared key Ku-a.
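
The second-phase checks described above (decrypt Cert' with Ka, check the server name and validity time, then challenge the card on Ku-a), as an added Python example that is not part of the patent text. The page leaves the function f unspecified, so HMAC-SHA256 stands in for the response function and an HMAC-based encrypt-then-MAC construction stands in for the certificate cipher (illustration only; the integrity tag is an addition the page does not describe), and all field names, key sizes and sample identities are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def f(data, key):
    """Response function f(Rnd, K). HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (illustration only).
    blocks = (f(nonce + i.to_bytes(4, "big"), key) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(plain, key):
    """Cert' = f(Cert, Ka), modelled as encrypt-then-MAC under subkeys of Ka."""
    nonce = secrets.token_bytes(16)
    ks = _stream(f(b"enc", key), nonce, len(plain))
    ct = bytes(a ^ b for a, b in zip(plain, ks))
    return nonce + ct + f(nonce + ct, f(b"mac", key))


def unseal(blob, key):
    """Return the plaintext, or None when the blob was not sealed under key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, f(nonce + ct, f(b"mac", key))):
        return None
    ks = _stream(f(b"enc", key), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def auc_issue(user_keys, aps_keys, idu, aps_name, rnd, res, now, lifetime=3600):
    """First phase: check Res == f(Rnd, Ku), then issue (Cert', AuInfo)."""
    ku = user_keys.get(idu)
    ka = aps_keys.get(aps_name)
    if ku is None or ka is None or not hmac.compare_digest(res, f(rnd, ku)):
        return None
    ku_a = secrets.token_bytes(32)  # user and APS shared key Ku-a
    cert = {"idu": idu, "aps": aps_name, "expires": now + lifetime,
            "ku_a": ku_a.hex()}  # field names are assumptions
    # AuInfo duplicates what the card needs, since it cannot read Cert'.
    au_info = {"aps": aps_name, "expires": now + lifetime, "ku_a": ku_a}
    return seal(json.dumps(cert).encode(), ka), au_info


def aps_open_cert(name, ka, cert_enc, now):
    """Second phase, step 1: decrypt Cert' and check server name and validity."""
    raw = unseal(cert_enc, ka)
    if raw is None:
        return None  # forged, altered, or issued for another server's Ka
    cert = json.loads(raw)
    if cert["aps"] != name or now > cert["expires"]:
        return None
    return cert


def aps_verify(cert, rnd, res):
    """Second phase, step 2: compare Res with Res' = f(Rnd, Ku-a)."""
    return hmac.compare_digest(res, f(rnd, bytes.fromhex(cert["ku_a"])))


def demo():
    """Run the flow on constructed keys and return each outcome."""
    ku, ka1, ka2 = (secrets.token_bytes(32) for _ in range(3))
    users, servers = {"card-0001": ku}, {"APS1": ka1, "APS2": ka2}
    now = 1_000_000  # constructed clock value, in seconds
    rnd = secrets.token_bytes(16)
    out = {"bad_ku": auc_issue(users, servers, "card-0001", "APS1", rnd,
                               f(rnd, ka2), now)}
    cert_enc, au_info = auc_issue(users, servers, "card-0001", "APS1", rnd,
                                  f(rnd, ku), now)
    cert = aps_open_cert("APS1", ka1, cert_enc, now + 60)
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    out["legitimate"] = aps_verify(cert, c1, f(c1, au_info["ku_a"]))
    # A third party who copied Cert' off the wire has no Ku-a.
    out["copied_cert"] = aps_verify(cert, c1, f(c1, secrets.token_bytes(32)))
    # A recorded response does not answer a fresh challenge.
    out["replayed_res"] = aps_verify(cert, c2, f(c1, au_info["ku_a"]))
    out["expired"] = aps_open_cert("APS1", ka1, cert_enc, now + 3601)
    flipped = cert_enc[:20] + bytes([cert_enc[20] ^ 1]) + cert_enc[21:]
    out["tampered"] = aps_open_cert("APS1", ka1, flipped, now + 60)
    out["other_server"] = aps_open_cert("APS2", ka2, cert_enc, now + 60)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Only the legitimate card passes; the copied certificate is accepted at step 1 but rejected at step 2, which is the case the challenge-response exists to catch.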

Fig. 10 illustrates procedure in the second phase in the mutual
authentication mechanism. As shown in this figure, at first, the
encrypted user certificate Cert' which has been stored in the
smart card 10 is read out and transmitted to the application
server 16. This transmission is represented by [Cert'] in Fig.
10. It should be noted that the user certificate Cert' can be
issued only by the AuC 17 and can be evaluated only by the
application server 16, and that not only the smart card 10 but
also the client terminal 12 cannot analyze it.

The application server 16 decrypts the transmitted user
certificate Cert' using its APS secret key Ka to extract the
original user certificate Cert. Then, the application server 16
evaluates or verifies the user certificate Cert by checking
known or estimative information such as application server name,
issuance time or validity time period contained in the
certificate Cert. For example, if the certificate Cert is a
forged one, no significant information can be extracted
therefrom and thus analysis of the certificate Cert fails. Even
if the certificate Cert is a legitimate one, this certificate
Cert may be dealt with as invalid when the validity time has
expired.

Since the user certificate Cert' encrypted by using the APS
secret key Ka is transmitted through the network when the smart
card 10 accesses the application server 16, a fraudulent third
party may copy the encrypted certificate Cert' and may use it by
stealth. In order to prevent such fraudulent usage, the mutual
authentication is executed between the smart card 10 and the
application server 16. Namely, the application server 16
generates a random number Rnd1 and transmits it to the smart
card 10. The smart card 10 encrypts the received random number
Rnd1 using the user and APS shared key Ku-a contained in the
authentication information sent from the AuC 17 when the user
certificate was issued, to generate a response Res1 by means of
a function Res1=f(Rnd1,Ku-a). The smart card 10 also generates a
random number Rnd2. The generated response Res1 and the random
number Rnd2 are transmitted to the application server 16.

The application server 16 executes the same encryption of the
random number Rnd1 as done in the smart card 10 using the user
and APS shared key Ku-a which was contained in the decrypted
user certificate Cert and extracted therefrom, to generate Res1'
by means of a function Res1'=f(Rnd1,Ku-a). The generated Res1'
is then compared with the response Res1 transmitted from the
smart card 10. If the user is a legitimate user, Res1 will
coincide with Res1'. However, if the user is a fraudulent user,
the calculated results Res1 and Res1' will not coincide with
each other. In this case, although the certificate Cert is
correct, it may be used by stealth. Thus, failure of the
authentication is informed to the user side and the process is
terminated.

If the encrypted Res1' coincides with Res1, the following
procedure for authenticating the application server 16 by the
smart card 10 is carried out. First, the application server 16
encrypts the random number Rnd2 transmitted from the smart card
10 using the user and APS shared key Ku-a to generate a response
Res2 by means of a function Res2=f(Rnd2,Ku-a). Then, the
generated Res2 is transmitted to the smart card 10.

The smart card 10 executes the same encryption of the random
number Rnd2 as done in the application server 16 using the user
and APS shared key Ku-a to generate Res2' by means of a function
Res2'=f(Rnd2,Ku-a). The generated Res2' is then compared with
the response Res2 transmitted from the application server 16. If
the application server is a legitimate one, Res2 will coincide
with Res2'. However, if the application server is an incorrect
one, the calculated results Res2 and Res2' will not coincide
with each other. In this case, failure of the authentication is
informed to the user and the process is terminated.

If the encrypted Res2' coincides with Res2, the mutual
authentication succeeds and the network service requested by the
user is provided to the client terminal 12.

In this second embodiment, it is important that the 
user certificate which can be used for one or more times 
is securely stored without being stolen by a third party. 
For this purpose, it is effective to execute cryptographic 
function within an IC card provided with a CPU (smart 
card) which can subjectively manage accesses and to 
store a user certificate in the card. 

As is described in detail, according to the present 
invention, an authentication system adopting an 
authentication scheme for verifying a user from a net- 
work, by sharing the same secret key between the user 
and the network, encrypting a known information using 
the secret key at the user to produce first encrypted 
information, transmitting the first encrypted information 
from the user to the network, encrypting the known 
information using the secret key at the network to pro- 
duce second encrypted information, and collating the 
transmitted first encrypted information with the pro- 
duced second encrypted information at the network, 
comprises a single master authentication
center arranged in the network, the master authentica- 
tion center sharing with the user a user secret key, and 
a plurality of slave authentication centers sharing with 
the master authentication center respective secret keys 
different from the user secret key. The master authenti- 
cation center authenticates the user by using the user 
secret key and issues a certificate information which 
certifies legitimation of the user, to the user if the user is 
authenticated as a legitimate user. The slave authenti- 
cation center authenticates the certificate information 
from the user and issues a permission information 
which allows an access to a specified server or an appli- 
cation server in the network, to the user if the user is 
authenticated as a legitimate user. 

Therefore, in case of verifying a user by presenting 
a calculation result of the user's inherent information, 
authentication processes can be executed by distributed
servers in the network without sharing user's
secret information. In other words, according to the
present invention, by using a user certificate which is 
valid for a predetermined period or predetermined 
times, authentication processes can be executed by dis- 
tributed servers in the network without sharing user's 
secret information. A part of authentication load can be 
shared by application servers instead of slave authenti- 
cation centers. 

In the near future, decisions or purchases and sales via
a wide range network such as Internet or CATV network 
will greatly increase, and therefore requests of user 
authentications via a plurality of networks or within a 
single network will extremely increase. According to the 
present invention, a very effective authentication sys- 
tem can be provided under these circumstances. 

Many widely different embodiments of the present 
invention may be constructed without departing from 
the spirit and scope of the present invention. It should 
be understood that the present invention is not limited to 
the specific embodiments described in the specification, 
except as defined in the appended claims. 

Claims 

1. An authentication system adopting an authentica- 
tion scheme for verifying a user from a network, by 
sharing the same secret key between the user and 
the network, encrypting a known information using 
said secret key at the user to produce first 
encrypted information, transmitting the first 
encrypted information from the user to the network, 
encrypting the known information using said secret 
key at the network to produce second encrypted 
information, and collating the transmitted first 
encrypted information with the produced second 
encrypted information at the network, 

said system comprising a single master 
authentication center arranged in the network, said 
master authentication center sharing with the user 
a user secret key, and a plurality of slave authenti- 
cation centers sharing with said master authentica- 
tion center respective secret keys different from the 
user secret key, 

said master authentication center authenti- 
cating the user by using said user secret key and 
issuing a certificate information to the user if the 
user is authenticated as a legitimate user, said cer- 
tificate information certifying legitimation of the 
user, said slave authentication center authenticat- 
ing the certificate information from the user and 
issuing a permission information which allows an 
access to a specified server or an application 
server in the network, to the user if the user is
authenticated as a legitimate user. 

2. The authentication system as claimed in claim 1, 
wherein said system adopts a mutual authentica- 
tion scheme for further verifying the network from 
the user, by encrypting a known information using 
said secret key at the network to produce third
encrypted information, transmitting the third
encrypted information from the network to the user,
encrypting the known information using said secret
key at the user to produce fourth encrypted information,
and collating the transmitted third
encrypted information with the produced fourth 
encrypted information at the user. 

3. The authentication system as claimed in claim 1,
wherein said user has an IC card provided with a 
CPU, and wherein the IC card executes manage- 
ment of said user secret key and encryption and 
decryption of the information. 

4. The authentication system as claimed in claim 1, 
wherein said secret key used for encrypting the 
known information is one using a random number 
generated at the user. 

5. An authentication system adopting an authentica- 
tion scheme for verifying a user from a network, by 
sharing the same secret key between the user and 
the network, encrypting a known information using 
said secret key at the user to produce first
encrypted information, transmitting the first
encrypted information from the user to the network,
encrypting the known information using said secret
key at the network to produce second encrypted
information, and collating the transmitted first
encrypted information with the produced second 
encrypted information at the network, 

said network issuing a certificate information
to the user if the user is authenticated as a legitimate
user, said certificate information certifying
legitimation of the user and being valid within a pre- 
determined period or predetermined times. 

6. The authentication system as claimed in claim 5, 
wherein said user has an IC card provided with a
CPU, and wherein the IC card executes manage- 
ment of said user secret key, management of the 
certificate information issued at the network, and 
encryption and decryption of the information. 

7. The authentication system as claimed in claim 5, 
wherein said system adopts a mutual authentica- 
tion scheme for further verifying the network from 
the user, by encrypting a known information using 
said secret key at the network to produce third
encrypted information, transmitting the third
encrypted information from the network to the user,
encrypting the known information using said secret
key at the user to produce fourth encrypted information,
and collating the transmitted third
encrypted information with the produced fourth 
encrypted information at the user. 